Security Gateway and IPsec


Configuration Examples

Created: 1998/Jun/09
Last modified: 2018/Nov/06
Document size: 10KB

  1. Notes
  2. Configuration Example 1
  3. Configuration Example 2
  4. Configuration Example 3
  5. Configuration Example 4
  6. Configuration Example 5

Notes

When using IPsec, the address of the security gateway (SGW) must be identified correctly. The IP addresses configured by the following three commands must match the SGW address.

When IP addresses are assigned to more than one interface, the SGW address is the address of the interface closest to the peer SGW. For example, when the SGWs are placed on either side of a WAN, the IP address assigned to the PP interface is the SGW address.

The key-exchange protocol IKE uses UDP port 500 for key exchange. When using IP masquerade or packet filters, make sure that UDP port 500 is not subject to them.
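A consistency check for the SGW-address rule above, added here as an example and not part of the original page or Yamaha's own tooling; it uses the addresses and key of Configuration Example 1, and the typo variant is constructed:

```python
# Added example (not from this page or from Yamaha): checks that the three IPsec
# commands name one peer address and that it is an interface address of the other SGW.
RT_A = """\
ip lan address 192.168.100.1/24
ipsec ike host 172.16.1.2
ipsec pre-shared-key 172.16.1.2 text himitsu
ipsec sa policy 101 172.16.1.2 esp des-cbc md5-hmac
ip pp local address 172.16.1.1/28
"""
RT_B = """\
ip lan address 192.168.101.1/24
ipsec ike host 172.16.1.1
ipsec pre-shared-key 172.16.1.1 text himitsu
ipsec sa policy 101 172.16.1.1 esp des-cbc md5-hmac
ip pp local address 172.16.1.2/28
"""
RT_A_TYPO = RT_A.replace("172.16.1.1/28", "176.16.1.1/28")  # constructed defect

def parse(cfg):
    d = {"local": set(), "peers": {}, "keys": set()}
    for line in cfg.splitlines():
        w = line.split()
        # Interface addresses that can serve as this router's SGW address.
        if w[:3] == ["ip", "lan", "address"] or w[:4] == ["ip", "pp", "local", "address"]:
            d["local"].add(w[-1].split("/")[0])
        elif w[:3] == ["ipsec", "ike", "host"]:
            d["peers"]["ike host"] = w[3]
        elif w[:2] == ["ipsec", "pre-shared-key"]:
            d["peers"]["pre-shared-key"] = w[2]
            d["keys"].add(w[4])
        elif w[:3] == ["ipsec", "sa", "policy"]:
            d["peers"]["sa policy"] = w[4]
    return d

def check_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        peers = set(me["peers"].values())
        if len(peers) != 1:  # the three IPsec commands must name one address
            problems.append(f"{name}: peer address differs across commands {me['peers']}")
            continue
        peer = peers.pop()
        if peer not in other["local"]:  # ...and it must be the other SGW's own address
            problems.append(f"{name}: peer {peer} is not an interface address of the other router")
    if a["keys"] != b["keys"]:
        problems.append("pre-shared keys differ")
    return problems
```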


(Configuration Example 1)
       ----------+-------------------- 192.168.100.0/24
                 |
                 | 192.168.100.1
            +----+----+
            | RT140i  |
            +----+----+
                 : pp local = 172.16.1.1 (SGW address)
                 :
                 :
                 :
                 : pp local = 172.16.1.2 (SGW address)
            +----+----+
            | RT100i  |
            +----+----+
                 | 192.168.101.1
                 |
       ----------+-------------------- 192.168.101.0/24
[RT140i configuration]

bri local address 1 03-123-4567
ip lan address 192.168.100.1/24
ipsec ike host 172.16.1.2
ipsec pre-shared-key 172.16.1.2 text himitsu
ipsec sa policy 101 172.16.1.2 esp des-cbc md5-hmac
pp select 1
pp bind bri 1
isdn remote address call 06-111-9999
ip pp local address 172.16.1.1/28
ip pp remote address 172.16.1.2
nat use on
nat masquerade on
nat address private 192.168.100.1-192.168.100.254
pp enable 1
tunnel select 1
ip tunnel route add net 192.168.101.0/24 2
ipsec tunnel 101
tunnel enable 1
[RT100i configuration]

isdn local address 06-111-9999
ip lan address 192.168.101.1/24
ipsec ike host 172.16.1.1
ipsec pre-shared-key 172.16.1.1 text himitsu
ipsec sa policy 101 172.16.1.1 esp des-cbc md5-hmac
pp select 1
isdn remote address call 03-123-4567
ip pp local address 172.16.1.2/28
ip pp remote address 172.16.1.1
nat address private 192.168.101.1-192.168.101.254
pp enable 1
tunnel select 1
ip tunnel route add net 192.168.100.0/24 2
ipsec tunnel 101
tunnel enable 1

(Configuration Example 2)
       ----------+-------------------- 192.168.100.0/24
                 |
                 | 192.168.100.1 (SGW address)
            +----+----+
            | RT140i  |
            +----+----+
                 :
                 :
            (Unnumbered)
                 :
                 :
            +----+----+
            | RT100i  |
            +----+----+
                 | 192.168.101.1 (SGW address)
                 |
       ----------+-------------------- 192.168.101.0/24
[RT140i configuration]

bri local address 1 03-123-4567
ip lan address 192.168.100.1/24
ipsec ike host 192.168.101.1
ipsec pre-shared-key 192.168.101.1 text himitsu
ipsec sa policy 101 192.168.101.1 esp des-cbc md5-hmac
pp select 1
pp bind bri 1
ip pp route add host 192.168.101.1 2
isdn remote address call 06-111-9999
pp enable 1
tunnel select 1
ip tunnel route add net 192.168.101.0/24 2
ipsec tunnel 101
tunnel enable 1
[RT100i configuration]

isdn local address 06-111-9999
ip lan address 192.168.101.1/24
ipsec ike host 192.168.100.1
ipsec pre-shared-key 192.168.100.1 text himitsu
ipsec sa policy 101 192.168.100.1 esp des-cbc md5-hmac
pp select 1
isdn remote address call 03-123-4567
ip pp route add host 192.168.100.1 2
pp enable 1
tunnel select 1
ip tunnel route add net 192.168.100.0/24 2
ipsec tunnel 101
tunnel enable 1

(Configuration Example 3)
       ----------+-------------------- 192.168.10.0/24
                 | 192.168.10.1 (secondary)
                 | 192.168.100.1 (SGW address)
            +----+----+
            | RT140i  |
            +----+----+
                 :
                 :
            (Unnumbered)
                 :
                 :
            +----+----+
            | RT100i  |
            +----+----+
                 | 192.168.101.1 (SGW address)
                 | 192.168.11.1 (secondary)
                 |
       ----------+-------------------- 192.168.11.0/24
[RT140i configuration]

bri local address 1 03-123-4567
ip lan address 192.168.100.1/24
ip lan secondary address 192.168.10.1/24
ipsec ike host 192.168.101.1
ipsec pre-shared-key 192.168.101.1 text himitsu
ipsec sa policy 101 192.168.101.1 esp des-cbc md5-hmac
pp select 1
pp bind bri 1
ip pp route add net 192.168.101.1 2
isdn remote address call 06-111-9999
pp enable 1
tunnel select 1
ip tunnel route add net 192.168.11.0/24 2
ipsec tunnel 101
tunnel enable 1
[RT100i configuration]

isdn local address 06-111-9999
ip lan address 192.168.101.1/24
ip lan secondary address 192.168.11.1/24
ipsec ike host 192.168.100.1
ipsec pre-shared-key 192.168.100.1 text himitsu
ipsec sa policy 101 192.168.100.1 esp des-cbc md5-hmac
pp select 1
isdn remote address call 03-123-4567
ip pp route add net 192.168.100.1 2
pp enable 1
tunnel select 1
ip tunnel route add net 192.168.10.0/24 2
ipsec tunnel 101
tunnel enable 1

(Configuration Example 4)
       ----------+------------------- 192.168.1.0/24
                 |
                 | 192.168.1.1
            +----+----+
            |  RT102i |
            +----+----+
                 : pp local = 172.16.1.1 (SGW address)
                 : nat global = 172.16.1.2 (source address of non-IPsec packets)
                 :
            +----+----+
            |  RT140i |
            +----+----+
                 |
                 |
       -----+-----+------------------- 172.16.2.0/24
            |
            | 172.16.2.1 (SGW address)
       +----+----+
       |  RT140e |
       +----+----+
            | 192.168.0.1
            |
       -----+------------------------- 192.168.0.0/24
[RT102i configuration]

pp line l128
ip lan address 192.168.1.1
pp select leased
ip pp local address 172.16.1.1
ip pp route add net default 1
nat use on
nat masquerade on
nat address global 172.16.1.2
nat address local 192.168.1.1-192.168.1.254
pp enable leased
ipsec pre-shared-key 172.16.2.1 text himitsu
ipsec ike host 172.16.2.1
ipsec sa policy 101 172.16.2.1 esp des-cbc md5-hmac
tunnel select 1
ip tunnel route add net 192.168.0.0/24 2
ipsec tunnel 101
tunnel enable 1
[RT140e configuration]

ip lan1 address 172.16.2.1
ip lan1 routing protocol none
ip lan1 rip listen none
ip lan2 address 192.168.0.1
ip lan2 routing protocol none
ip lan2 rip listen none
ipsec pre-shared-key 172.16.1.1 text himitsu
ipsec ike host 172.16.1.1
ipsec sa policy 101 172.16.1.1 esp des-cbc md5-hmac
tunnel select 1
ip tunnel route add net 192.168.1.0/24 2
ipsec tunnel 101
tunnel enable 1

(Configuration Example 5)
       ----------+------------- 192.168.100.0/24
                 |
                 | 192.168.100.1 (SGW address)
           +-----+------+
           |  RT140p(1) |
           +--+--+-+++--+
              :    :::
              :    :::
            (BRI) (PRI) (Unnumbered)
              :    :::  (the BRI backs up the PRI)
              :    :::
           +--+--+-+++--+
           |  RT140p(2) |
           +-----+------+
                 | 192.168.101.1 (SGW address)
                 |
       ----------+-------------- 192.168.101.0/24
[RT140p(1) configuration]

bri local address 1 03-123-4567
bri line 2 l128
pri leased channel 1/1 1 24
ip lan address 192.168.100.1/24
ip lan routing protocol none
ipsec ike host 192.168.101.1
ipsec pre-shared-key 192.168.101.1 text himitsu
ipsec sa policy 101 192.168.101.1 esp des-cbc md5-hmac
pp select 1
pp bind pri 1/1
ip pp route add host 192.168.101.1 2
leased backup 2
pp enable 1
pp select 2
pp bind bri 1
isdn remote address call 06-111-9999
pp enable 2
tunnel select 1
ip tunnel route add net 192.168.101.0/24 2
ipsec tunnel 101
tunnel enable 1
ipsec auto refresh on
save
[RT140p(2) configuration]

bri local address 1 06-111-9999
bri line 2 l128
pri leased channel 1/1 1 24
ip lan address 192.168.101.1/24
ip lan routing protocol none
ipsec ike host 192.168.100.1
ipsec pre-shared-key 192.168.100.1 text himitsu
ipsec sa policy 101 192.168.100.1 esp des-cbc md5-hmac
pp select 1
pp bind pri 1/1
ip pp route add host 192.168.100.1 2
leased backup 2
pp enable 1
pp select 2
pp bind bri 1
isdn remote address call 03-123-4567
pp enable 2
tunnel select 1
ip tunnel route add net 192.168.100.0/24 2
ipsec tunnel 101
tunnel enable 1